youtube-transcript

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill relies on the youtube-transcript-plus npm package, which is not from a predefined trusted source or organization. This introduces a supply-chain risk if the package were to be compromised.
  • Indirect Prompt Injection (LOW): The skill ingests untrusted data from external YouTube transcripts. While this content could contain malicious instructions designed to influence the agent, the skill itself lacks dangerous capabilities to execute those instructions.
      • Ingestion points: transcript.js via YoutubeTranscript.fetchTranscript.
      • Boundary markers: Absent; transcripts are logged directly to the console.
      • Capability inventory: Restricted to console.log for output; no file-system write, network exfiltration, or command execution capabilities are present in the provided scripts.
      • Sanitization: None; data is processed and displayed as-is.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 10:03 AM